{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:41:44Z","timestamp":1750308104079,"version":"3.41.0"},"reference-count":23,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2005,5,15]],"date-time":"2005-05-15T00:00:00Z","timestamp":1116115200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2005,7]]},"abstract":"<jats:p>\n            Program vulnerabilities leave organizations open to malicious attacks that can result in severe damage to company finances, resources, consumer privacy, and data. Engineering applications and systems so that vulnerabilities do not exist would be the best solution, but this strategy may be impractical due to fiscal constraints or inadequate knowledge. Therefore, a variety of program and system-based solutions have been proposed to deal with vulnerabilities in a manageable way. Unfortunately, proposed strategies are often poorly tested, because current testing techniques focus on the common case whereas vulnerabilities are often exploited by uncommon inputs. In this paper, we present the\n            <jats:italic>design<\/jats:italic>\n            of a testing framework that enables the efficient, automatic and systematic testing of security mechanisms designed to prevent program-based attacks. The key insight of the framework is that dynamic compilation technology allows us to insert and simulate attacks during program execution. 
Thus, a security mechanism can be tested using\n            <jats:italic>any<\/jats:italic>\n            program, not only those with known vulnerabilities.\n          <\/jats:p>","DOI":"10.1145\/1082983.1083208","type":"journal-article","created":{"date-parts":[[2005,11,7]],"date-time":"2005-11-07T19:28:32Z","timestamp":1131391712000},"page":"1-7","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["A framework for testing security mechanisms for program-based attacks"],"prefix":"10.1145","volume":"30","author":[{"given":"Ben","family":"Breech","sequence":"first","affiliation":[{"name":"University of Delaware, Newark, DE"}]},{"given":"Lori","family":"Pollock","sequence":"additional","affiliation":[{"name":"University of Delaware, Newark, DE"}]}],"member":"320","published-online":{"date-parts":[[2005,5,15]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"AlephOne. Smashing the stack for fun and profit. http:\/\/www.insecure.org\/stf\/smashstack.txt."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.5555\/1267724.1267745"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/349299.349342"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.5555\/1018431.1021456"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSMR.2005.1"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/776261.776290"},{"key":"e_1_2_1_7_1","unstructured":"D. L. Bruening. Efficient Transparent and Comprehensive Runtime Code Manipulation. PhD thesis M.I.T. 2004."},
{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1177\/109434200001400404"},{"volume-title":"International Conference on Distributed Computing Systems","year":"2001","author":"Chiueh T.","key":"e_1_2_1_9_1"},{"key":"e_1_2_1_10_1","unstructured":"M. Conover. w00w00 on heap overflows. http:\/\/www.w00w00.org\/files\/articles\/heaptut.txt."},{"key":"e_1_2_1_11_1","unstructured":"C. Cowan. Re: Buffer overflow and the OS\/390. http:\/\/cert.uni-stuttgart.de\/archive\/bugtraq\/1999\/02\/msg00081.html 1999."},{"volume-title":"USENIX Security Symposium","year":"2003","author":"Cowan C.","key":"e_1_2_1_12_1"},{"volume-title":"USENIX Security Symposium","year":"1998","author":"Cowan C.","key":"e_1_2_1_13_1"},{"key":"e_1_2_1_14_1","unstructured":"S. Designer. NonExecutable user stack. http:\/\/www.openwall.com\/linux."},{"key":"e_1_2_1_15_1","unstructured":"DilDog. The tao of windows buffer overflow. http:\/\/www.cultdeadcow.com\/c{D}c_files\/c{D}c-351."},{"key":"e_1_2_1_16_1","unstructured":"H. Etoh and K. Yoda. GCC extension for protecting applications from stack-smashing attacks. http:\/\/www.research.ibm.com\/trl\/projects\/security\/ssp\/ 2000."},{"volume-title":"Automatic and Algorithm Debugging","year":"1997","author":"Jones R. W. M.","key":"e_1_2_1_17_1"},{"key":"e_1_2_1_18_1","unstructured":"Klog. Frame pointer overwrite. http:\/\/www.phrack.org\/show.php?p=55&a=8."},
{"key":"e_1_2_1_19_1","unstructured":"Mudge. How to write buffer overflows. http:\/\/www.insecure.org\/stf\/mudge_buffer_overflow_tutorial.html 1995."},{"journal-title":"Newsham. Format string attacks. http:\/\/www.lava.net\/~newsham\/format-string-attacks.pdf.","author":"T.","key":"e_1_2_1_20_1"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/508171.508175"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/66093.66095"},{"volume-title":"International Information Assurance Workshop","year":"2004","author":"Zhu G.","key":"e_1_2_1_23_1"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083208","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1082983.1083208","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T16:08:05Z","timestamp":1750262885000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083208"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,5,15]]},"references-count":23,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2005,7]]}},"alternative-id":["10.1145\/1082983.1083208"],"URL":"https:\/\/doi.org\/10.1145\/1082983.1083208","relation":{"is-identical-to":[{"id-type":"doi","id":"10.1145\/1083200.1083208","asserted-by":"subject"}]},"ISSN":["0163-5948"],"issn-type":[{"type":"print","value":"0163-5948"}],"subject":[],"published":{"date-parts":[[2005,5,15]]},"assertion":[{"value":"2005-05-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication
 History"}}]}}